benatkin, 6 hours ago:

No, but Podman is. The recent escapes at the actual container level have been pretty edge case. It's been some years since a general container escape has been found. Docker's CVE-2025-9074 was totally unnecessary and due to Docker being Docker.
eyberg, 5 hours ago (reply to benatkin):

No, they have not been. There were at least 16 container escapes last year - at least 8 of them were at the runtime layer. I personally spent way too much time looking at this in the past month: https://nanovms.com/blog/last-year-in-container-security

runc: https://www.cve.org/CVERecord?id=CVE-2025-31133
nvidia: https://www.cve.org/CVERecord?id=CVE-2025-23266
runc: https://www.cve.org/CVERecord?id=CVE-2025-52565
youki: https://www.cve.org/CVERecord?id=CVE-2025-54867

Also, last time I checked, podman uses runc by default.
xienze, 5 hours ago (reply to benatkin):

The best container security in the world isn't going to help you when the agent has credentials to third-party services. Frankly, I don't think bad actors care that much about exploiting agents to rm -rf /. It's much more valuable to have your Google tokens or AWS credentials.